McAfee HISCDE-AB-IA Product Guide - Page 143
Appendix B - Troubleshooting Host IPS logs

When the size specified by log_rotate_size_kb has been exceeded, the file is closed and renamed with the suffix .1. If a file with that name already exists, the suffix is incremented by one. When the specified number of backup files is reached, the oldest is deleted.

NOTE: When collecting data for incidents escalated to McAfee Support, we strongly recommend that the debug_enabled registry value be created and set to 1. This registry value logs all Host and Network IPS events to HipShield.log, regardless of the Log Status setting under signature properties. Be sure to stop the service, delete old log files, restart the service, and then reproduce the problem. This keeps the log files small.

What are things to look for in HipShield.log?

A run of the Host IPS component begins with a banner statement that identifies the build and the date/time stamp of the session. Each entry in HipShield.log shows a date/time stamp, followed by an indication of whether the entry is informational, debugging, or error. The data in HipShield.log is ad hoc and differs between portions of the Host IPS component.

Key areas of interest:

• Lines beginning with In install modules new describe the copying of files as part of the start of the Host IPS component. Failure to copy these files prevents the Host IPS component from starting.
• A line beginning with Scrutinizer initialized successfully indicates that loading of the Host IPS component has succeeded up through initialization of the Scrutinizer, which depends on the files mentioned above having been copied properly.
• A line beginning with New Process: Pid= indicates that the Host IPS component is able to monitor process creation.
• A line beginning with IIS - Start indicates that IIS monitoring is beginning.
• A line beginning with Scrutinizer started successfully ACTIVATED status indicates that the Scrutinizer has started successfully.
• A line beginning with Hooking xxx indicates that process hooking is proceeding; xxx is the PID (process ID) of the process being hooked.
• A series of lines beginning with Processing Buffer xxx.scn reports the results of the Scanner's processing of the scan file xxx.scn, where xxx is a name such as EnterceptMgmtServer. Errors in the Scanner's processing of scan files are reported here.
• Lines in the format signature=111 level=2, log=True report that an individual signature has been loaded. The signature ID and level are included, along with an indication of whether logging is enabled for this signature.

NOTE: Shield.db and except.db are created in the same directory as the logs only when debugging is enabled. These files contain a dump of the rules and exceptions that are sent to the kernel after AgentNT.dll has processed the content.

Which log files are associated with the firewall component?

The primary log files for the Firewall component and what they contain:

Name: FireSvc.log
Description: Main service log
Contains this data:
• Debug level logging
• Location matching output
• TrustedSource connection rating output
• Errors/warnings

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5    143
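The HipShield.log checks listed above (startup milestones, Hooking, Processing Buffer and signature= lines) can be scripted so that a support bundle is triaged in seconds rather than by reading the file by eye. The following Python script is an added example written for this page; it is not McAfee's code and not part of the product guide. It assumes an entry layout of "<date> <time> <LEVEL> <message>", since the page only says each entry has a date/time stamp followed by an info/debug/error indication; the sample session embedded in it is constructed, with made-up timestamps, PIDs and signature IDs. The order_rotated helper only sorts HipShield.log.N backups by suffix, because the page does not say which suffix is oldest.

```python
"""Triage a HipShield.log session: startup milestones, hooked PIDs, scan files,
loaded signatures and error entries. Added example, not McAfee's code."""
import re
from dataclasses import dataclass, field

# Startup milestones, as line prefixes, in the order the product guide lists them.
MILESTONES = [
    "In install modules new",
    "Scrutinizer initialized successfully",
    "New Process: Pid=",
    "IIS - Start",
    "Scrutinizer started successfully ACTIVATED",
]

# Assumed entry layout: "<date> <time> <LEVEL> <message>" (separators are a guess).
ENTRY_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Za-z]+)\s+(?P<msg>.*)$")
SIG_RE = re.compile(r"signature=(\d+)\s+level=(\d+),\s*log=(True|False)")
HOOK_RE = re.compile(r"^Hooking (\d+)")
BUFFER_RE = re.compile(r"^Processing Buffer (\S+\.scn)")

# Constructed sample session; timestamps, PIDs and signature IDs are made up.
SAMPLE_LOG = """\
2011-03-01 10:15:00 INFO  Host IPS session start (build banner)
2011-03-01 10:15:01 INFO  In install modules new: copying HipShield.dll
2011-03-01 10:15:02 INFO  Scrutinizer initialized successfully
2011-03-01 10:15:03 DEBUG New Process: Pid=1520 svchost.exe
2011-03-01 10:15:03 INFO  IIS - Start monitoring
2011-03-01 10:15:04 INFO  Scrutinizer started successfully ACTIVATED status
2011-03-01 10:15:05 DEBUG Hooking 1520
2011-03-01 10:15:06 INFO  Processing Buffer EnterceptMgmtServer.scn
2011-03-01 10:15:06 ERROR Processing Buffer EnterceptMgmtServer.scn: bad rule at line 17
2011-03-01 10:15:07 DEBUG signature=111 level=2, log=True
2011-03-01 10:15:07 DEBUG signature=1020 level=3, log=False
"""


@dataclass
class Triage:
    milestones: dict = field(default_factory=dict)   # milestone -> first timestamp seen
    hooked_pids: list = field(default_factory=list)  # PIDs from "Hooking xxx" lines
    scan_files: list = field(default_factory=list)   # names from "Processing Buffer xxx.scn"
    signatures: dict = field(default_factory=dict)   # signature id -> (level, log enabled)
    errors: list = field(default_factory=list)       # (timestamp, message) of error entries

    def missing_milestones(self):
        """Milestones never reached; the first one missing shows where startup stopped."""
        return [m for m in MILESTONES if m not in self.milestones]

    def unlogged_signatures(self):
        """Signatures loaded with log=False: their events only appear when debug_enabled=1."""
        return sorted(sid for sid, (_, log) in self.signatures.items() if not log)


def triage(lines):
    """Walk a HipShield.log session line by line and collect the items of interest."""
    t = Triage()
    for raw in lines:
        m = ENTRY_RE.match(raw.rstrip())
        if not m:
            continue  # continuation or banner text without the assumed layout
        ts, level, msg = m.group("ts"), m.group("level").lower(), m.group("msg")
        if level.startswith("err"):
            t.errors.append((ts, msg))
        for ms in MILESTONES:
            if msg.startswith(ms) and ms not in t.milestones:
                t.milestones[ms] = ts
        hook = HOOK_RE.match(msg)
        if hook:
            t.hooked_pids.append(int(hook.group(1)))
        buf = BUFFER_RE.match(msg)
        if buf and buf.group(1) not in t.scan_files:
            t.scan_files.append(buf.group(1))
        sig = SIG_RE.search(msg)
        if sig:
            t.signatures[int(sig.group(1))] = (int(sig.group(2)), sig.group(3) == "True")
    return t


def order_rotated(names, base="HipShield.log"):
    """Return the live log followed by its .1, .2, ... backups sorted by numeric suffix.
    Which suffix is oldest is not stated on this page, so no age ordering is implied."""
    pattern = re.compile(re.escape(base) + r"\.(\d+)$")
    backups = []
    for n in names:
        m = pattern.match(n)
        if m:
            backups.append((int(m.group(1)), n))
    live = [base] if base in names else []
    return live + [n for _, n in sorted(backups)]


def report(t):
    """One line per finding, suitable for pasting into an incident note."""
    out = [f"[{'ok' if ms in t.milestones else 'MISSING'}] {ms}" for ms in MILESTONES]
    out.append(f"hooked PIDs: {t.hooked_pids}")
    out.append(f"scan files processed: {t.scan_files}")
    out.append(f"signatures loaded: {len(t.signatures)}, "
               f"logging disabled for: {t.unlogged_signatures()}")
    out.extend(f"ERROR {ts} {msg}" for ts, msg in t.errors)
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG.splitlines()))))
```

Run it against a real HipShield.log by replacing SAMPLE_LOG.splitlines() with the file's lines (and the same over each backup from order_rotated if the session spans rotated files). The first missing milestone tells you how far startup got; a non-empty unlogged_signatures() list is the reason the NOTE above insists on debug_enabled=1 before reproducing, since events for those signatures are otherwise absent from the log.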